RADIUSdesk

Page 2021:xiaomi_power, created 2021/11/16 14:54 by admin; current revision 2021/11/17 06:00 by admin.

====== Xiaomi Up The Power ======
===== Are You Low On TX Power? =====
  * Some of the Mediatek **7628** based Xiaomi models do not use all the available transmit power when running OpenWrt.
  * Both the **4A 100M Edition** and **4C** I purchased had this issue.
  * Fortunately the fix is fairly simple.

===== Up The TX Power - The Action Plan  =====
  * The flash chip of the device is segmented into various blocks.
  * One of these blocks is called **factory** and contains data specific to the device, e.g. its MAC address.
  * When the operating system boots up it reads a known location in this block to obtain the correct MAC address and configure the device with it.
  * This block is also consulted when applying a limit on the transmit power of the radio.
  * <wrap em>With the default values in the **factory** block some devices have a limit of only 14.0 dBm TX power on the 2.4 GHz radio.</wrap>
  * This is despite the fact that the radio on the device is capable of transmitting at much higher power.
  * To overcome this limitation we will do the following on each device:
        * Flash the OpenWrt with MESHdesk firmware onto the device //(it already includes kmod-mtd-rw)//
        * Make a backup of the **factory** mtd block.
        * Modify some values in the copy of the **factory** mtd block.
        * Write the updated **factory** mtd block back to the device.
        * Reboot.
        * Unleash the fury.
===== Current TX Power =====
  * To check what the current TX power limit is, ssh into the device and issue the following command:

<code shell>
iw list
# Look for this section in the output
 HT TX/RX MCS rate indexes supported: 0-15
 Frequencies:
 * 2412 MHz [1] (14.0 dBm)
 * 2417 MHz [2] (14.0 dBm)
 * 2422 MHz [3] (14.0 dBm)
 * 2427 MHz [4] (14.0 dBm)
 * 2432 MHz [5] (14.0 dBm)
 * 2437 MHz [6] (14.0 dBm)
 * 2442 MHz [7] (14.0 dBm)
 * 2447 MHz [8] (14.0 dBm)
 * 2452 MHz [9] (14.0 dBm)
 * 2457 MHz [10] (14.0 dBm)
 * 2462 MHz [11] (14.0 dBm)
 * 2467 MHz [12] (disabled)
 * 2472 MHz [13] (disabled)
 * 2484 MHz [14] (disabled)
 valid interface combinations:
</code>
  * There you can see our device is limited to 14 dBm transmit power.
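Reading the limit off a long `iw list` dump by eye is error-prone, and you will want to compare the output before and after the factory block is rewritten. The following Python parser is an added example, not code from this page or from the RADIUSdesk project: it extracts the per-channel TX power limit from the Frequencies section in the shape shown above and reports which channels changed between two captures. The sample text is constructed in the shape of that output (trimmed to a few channels), and the function names are my own.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed samples in the shape of the `iw list` Frequencies section shown on this page
# (trimmed to a few channels); not captured from a real device.
IW_BEFORE = """\
 HT TX/RX MCS rate indexes supported: 0-15
 Frequencies:
 * 2412 MHz [1] (14.0 dBm)
 * 2417 MHz [2] (14.0 dBm)
 * 2467 MHz [12] (disabled)
 * 2484 MHz [14] (disabled)
 valid interface combinations:
"""

IW_AFTER = """\
 Frequencies:
 * 2412 MHz [1] (30.0 dBm)
 * 2417 MHz [2] (30.0 dBm)
 * 2467 MHz [12] (disabled)
 * 2484 MHz [14] (disabled)
"""

# One frequency line: "* <MHz> MHz [<channel>] (<dBm or disabled>)", possibly followed by flags.
FREQ_LINE = re.compile(
    r"^\s*\*\s*(?P<mhz>\d+)\s+MHz\s+\[(?P<ch>\d+)\]\s+\((?P<info>[^)]*)\)"
)
DBM = re.compile(r"(-?\d+(?:\.\d+)?)\s*dBm")


def parse_tx_limits(text: str) -> Dict[int, Optional[float]]:
    """Map channel number to its TX power limit in dBm; None marks a disabled channel."""
    limits: Dict[int, Optional[float]] = {}
    for line in text.splitlines():
        m = FREQ_LINE.match(line)
        if not m:
            continue  # not a frequency line (HT capabilities, interface combinations, ...)
        ch = int(m.group("ch"))
        info = m.group("info")
        if "disabled" in info:
            limits[ch] = None
            continue
        p = DBM.search(info)
        limits[ch] = float(p.group(1)) if p else None
    return limits


def max_enabled_power(limits: Dict[int, Optional[float]]) -> Optional[float]:
    """Highest limit over the enabled channels, or None if every channel is disabled."""
    enabled = [v for v in limits.values() if v is not None]
    return max(enabled) if enabled else None


def compare_limits(before: Dict[int, Optional[float]],
                   after: Dict[int, Optional[float]]) -> Dict[int, Tuple[Optional[float], Optional[float]]]:
    """Channels whose limit differs between two parses, as channel -> (before, after)."""
    changed: Dict[int, Tuple[Optional[float], Optional[float]]] = {}
    for ch in sorted(set(before) | set(after)):
        if before.get(ch) != after.get(ch):
            changed[ch] = (before.get(ch), after.get(ch))
    return changed


if __name__ == "__main__":
    # Typical use: save `iw list` output from the AP before and after the change, then feed both files here.
    b, a = parse_tx_limits(IW_BEFORE), parse_tx_limits(IW_AFTER)
    print("before max:", max_enabled_power(b), "dBm; after max:", max_enabled_power(a), "dBm")
    for ch, (x, y) in compare_limits(b, a).items():
        print(f"channel {ch}: {x} -> {y} dBm")
```

Disabled channels (12 to 14 on these devices) are kept as `None` rather than dropped, so a channel that flips between disabled and enabled after the rewrite shows up in the comparison as well.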
 + 
===== Backup factory block =====
  * For this we use the LuCI web interface of the device.
  * Go to **System** -> **Backup / Flash Firmware**.
  * Under **Save mtdblock contents** select the **factory** mtdblock.
  * Click the **SAVE MTDBLOCK** button to download it.
  * The name of the file follows the convention <HOSTNAME>.<Partition name>.bin (e.g. 4C-GW.mtd2.bin)

<WRAP center round tip 90%>
Keep in mind that the factory block on each device is unique to that device and has to be treated as such.
</WRAP>

===== Edit The Factory Block =====
  * This is probably equivalent to brain surgery on a device LOL
  * Open the factory block file with a hex editor. We use GHex on Ubuntu.
  * Starting at address **A0** there is a row of identical values.
  * There are **14** of them.
  * On my **4C** the value is **C0**.
  * On the **4A 100M** the value was **80** instead of **C0**, but the 14x pattern was still present.
  * See the screenshot below.
{{:2021:hex_4c.png?nolink|}}
  * Change those values to **FF**.
{{:2021:hex_4c_hp.png?nolink|}}
  * Save the file under another name to show it's the high-power tweaked one, e.g. 4C-GW.mtd2_hp.bin
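Changing 14 bytes by hand in a hex editor is easy to get wrong, and the same factory block holds the MAC address and the rest of the device-specific data, so before writing the file back you want proof that only the intended bytes changed. The script below is an added example, not a tool from this page or from the RADIUSdesk/MESHdesk project: it locates the uniform 14-byte run at 0xA0 that the page describes (C0 on the 4C, 80 on the 4A 100M), refuses to proceed if that pattern is absent or already FF, writes the patched copy, and verifies that the original and the copy differ in exactly those 14 offsets. The function names and the constructed sample dump are assumptions for illustration; run it on your own backup file.

```python
import sys
from pathlib import Path
from typing import List

# Offsets and values taken from the page: a run of 14 identical bytes starting at 0xA0.
TX_RUN_OFFSET = 0xA0
TX_RUN_LEN = 14
HIGH_POWER_VALUE = 0xFF
# Original values the page reports: 0xC0 on the 4C, 0x80 on the 4A 100M.
KNOWN_ORIGINAL_VALUES = {0xC0, 0x80}


def find_tx_run(blob: bytes) -> int:
    """Return the byte value of the 14-byte run at 0xA0, or raise if the expected pattern is absent."""
    if len(blob) < TX_RUN_OFFSET + TX_RUN_LEN:
        raise ValueError("file too short to contain the 0xA0 region")
    run = blob[TX_RUN_OFFSET:TX_RUN_OFFSET + TX_RUN_LEN]
    if len(set(run)) != 1:
        raise ValueError(f"bytes at 0x{TX_RUN_OFFSET:X} are not a uniform 14-byte run: {run.hex()}")
    value = run[0]
    if value == HIGH_POWER_VALUE:
        raise ValueError("run is already 0xFF; refusing to patch twice")
    if value not in KNOWN_ORIGINAL_VALUES:
        raise ValueError(f"unexpected run value 0x{value:02X}; inspect the dump manually first")
    return value


def is_patchable(blob: bytes) -> bool:
    """Convenience wrapper: True if find_tx_run() accepts the dump."""
    try:
        find_tx_run(blob)
        return True
    except ValueError:
        return False


def patch_tx_run(blob: bytes) -> bytes:
    """Return a copy of the dump with the 14-byte run set to 0xFF; the input is left untouched."""
    find_tx_run(blob)  # validates the pattern before we touch anything
    out = bytearray(blob)
    out[TX_RUN_OFFSET:TX_RUN_OFFSET + TX_RUN_LEN] = bytes([HIGH_POWER_VALUE]) * TX_RUN_LEN
    return bytes(out)


def changed_offsets(a: bytes, b: bytes) -> List[int]:
    """Offsets at which two equally sized dumps differ."""
    if len(a) != len(b):
        raise ValueError("dump length changed; the files are not comparable")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def verify_patch(original: bytes, patched: bytes) -> bool:
    """True only if exactly the 14 target bytes changed and everything else (MAC address etc.) is intact."""
    expected = list(range(TX_RUN_OFFSET, TX_RUN_OFFSET + TX_RUN_LEN))
    return changed_offsets(original, patched) == expected


def make_sample_factory(run_value: int = 0xC0, size: int = 0x1000) -> bytes:
    """Constructed stand-in for a factory dump: deterministic filler plus the uniform run at 0xA0.
    This is NOT a real factory partition layout; it exists only to exercise the functions above."""
    buf = bytearray((i * 7 + 3) & 0xFF for i in range(size))
    buf[TX_RUN_OFFSET:TX_RUN_OFFSET + TX_RUN_LEN] = bytes([run_value]) * TX_RUN_LEN
    return bytes(buf)


def patch_file(src: str, dst: str) -> int:
    """Read src, write the patched copy to dst, and return how many bytes changed (always 14 on success)."""
    original = Path(src).read_bytes()
    patched = patch_tx_run(original)
    if not verify_patch(original, patched):
        raise RuntimeError("unexpected differences after patching; not writing the output file")
    Path(dst).write_bytes(patched)
    return len(changed_offsets(original, patched))


if __name__ == "__main__":
    # Usage: python patch_factory.py 4C-GW.mtd2.bin 4C-GW.mtd2_hp.bin   (file names are from the page)
    if len(sys.argv) != 3:
        sys.exit("usage: patch_factory.py <factory backup> <output file>")
    n = patch_file(sys.argv[1], sys.argv[2])
    print(f"patched {n} bytes; wrote {sys.argv[2]}")
```

The script never edits the backup in place and aborts if the dump does not show the pattern the page describes, so an unfamiliar board revision with a different layout cannot be clobbered by accident. Keep the untouched backup: it is the only way to restore the device-specific data if the rewrite goes wrong.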
 + 
===== Replace The factory Block  =====
  * Copy the modified file to the ///tmp// directory on the device.
  * Insert the **mtd-rw** kernel module.
  * Overwrite the old **factory** block.
<code bash>
# My AP is on 192.168.8.120
scp 4C-GW.mtd2_hp.bin root@192.168.8.120:/tmp
# ssh into it
ssh root@192.168.8.120
# cd to /tmp
cd /tmp
# Insert the mtd-rw module
# (You can potentially brick the router, although it is rare; that is why the module requires the permission flag)
insmod mtd-rw.ko i_want_a_brick=1
# Substitute the name to match your file name
mtd write /tmp/4C-GW.mtd2_hp.bin factory
# This output will appear
.....
Unlocking factory ...

Writing from /tmp/4C-GW.mtd2_hp.bin to factory ...
# Reboot the device
</code>

===== UNLEASH THE FURY =====

<WRAP round box>
==== UNLEASH THE FURY - HOWTO ====
{{ youtube>LLMMx3MRi0s }}
\\
During boot time shout **Unleash the Fury** at the Xiaomi
</WRAP>

  * SSH into the device to check if it worked.
<code bash>
iw list

# Look for this...
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
 Minimum RX AMPDU time spacing: No restriction (0x00)
 HT TX/RX MCS rate indexes supported: 0-15
 Frequencies:
 * 2412 MHz [1] (30.0 dBm)
 * 2417 MHz [2] (30.0 dBm)
 * 2422 MHz [3] (30.0 dBm)
 * 2427 MHz [4] (30.0 dBm)
 * 2432 MHz [5] (30.0 dBm)
 * 2437 MHz [6] (30.0 dBm)
 * 2442 MHz [7] (30.0 dBm)
 * 2447 MHz [8] (30.0 dBm)
 * 2452 MHz [9] (30.0 dBm)
 * 2457 MHz [10] (30.0 dBm)
 * 2462 MHz [11] (30.0 dBm)
 * 2467 MHz [12] (disabled)
 * 2472 MHz [13] (disabled)
 * 2484 MHz [14] (disabled)
</code>